Service Checks Test

Services whose executable has weak file permissions are exposed to privilege escalation. An unprivileged user who can modify or replace the executable gets arbitrary code run the next time the service starts, with the privileges of the account the service runs as. This lets an attacker move from initial access (typically a standard user or application account) to Administrator, root, or full control of the system, which on Windows means NT AUTHORITY\SYSTEM. Keeping watch over Windows services and alerting administrators to such weaknesses is therefore essential.

The Service Checks Test monitors the Windows service logs and tracks the number of recently installed programs and services. It also reports the number of services that were configured to be disabled but are still found running, and it counts the Windows services with vulnerable permissions and the services whose executable path is unquoted. Administrators are thus alerted promptly to likely attack vectors and can remove the weakness before it leads to a compromise.

Target of the test : A Windows host

Agent deploying the test : An internal agent

Outputs of the test : One set of results for the Windows host being monitored

Configurable parameters for the test
Parameter Description

Test Period

How often should the test be executed.

Host

The host for which the test is to be configured.

Port

The port on which the server is listening. By default, it is given as NULL.

Log Location

Here, specify the path to the log file of the target Windows host. By default, this is set to none. This implies that the eG agent will automatically collect the required metrics from the log file available in the default log file location. If the log file is in a different location, then, you have to explicitly specify the location of the log file in this text box.

Service to be Disabled

Specify a comma-separated list of the services that should be disabled on the host in the Service to be Disabled text box. The test reports any service in this list that is found running.

Note:

  • When configuring the Service to be Disabled parameter, make sure that you specify the Display Name of the service, and not the short service Name.

  • When monitoring a Microsoft SQL Server, the Service to be Disabled parameter is set to Microsoft SQLServer by default. If the SQL Server being monitored was installed as a named instance, the SQL service name differs. In that case, make sure that the Service to be Disabled parameter is reconfigured to reflect the correct service name.

To save the time and effort involved in manual service specification, eG Enterprise offers an easy-to-use auto-configure option in the form of a View/Configure button that is available next to the Service to be Disabled text box. Refer to Auto-configuring the Windows Services to be Monitored for details on how to use this option.

DD Frequency

Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 1:1. This indicates that, by default, detailed measures will be generated every time this test runs, and also every time the test detects a problem. You can modify this frequency, if you so desire. Also, if you intend to disable the detailed diagnosis capability for this test, you can do so by specifying none against DD frequency.

Detailed Diagnosis

To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.
Measurements made by the test
Measurement Description Measurement Unit Interpretation

Recently installed programs

Indicates the number of programs that were recently installed.

Number

The detailed diagnosis of this measure provides the service name and the time at which it was identified.

Recently installed Windows services

Indicates the number of Windows services that were recently installed.

Number

The detailed diagnosis of this measure provides the service name and the time at which it was identified.

Configured disabled services found to be running

Indicates the number of services that are configured in the Service to be Disabled parameter but are found running.

Number

The detailed diagnosis of this measure provides the service name and the time at which it was identified.

Windows services with vulnerable permissions

Indicates the number of services with weak or vulnerable permissions.

Number

The detailed diagnosis of this measure provides the service name, the time at which it was identified, the image path with its arguments, and the start mode.

Unquoted Windows services

Indicates the number of Windows services whose executable path is not enclosed in quotes.

Number

If a service's executable path contains spaces and is not enclosed in quotes, the Unquoted Service Path vulnerability arises: when starting the service, Windows tries each space-delimited prefix of the path (with .exe appended) before the full path. A user who can write to one of those intermediate directories can plant an executable that is run with the service's privileges, which for many services is SYSTEM. The default ACLs on the drive root and Program Files do not permit this, so the finding is usually exploitable only where a vendor directory has loosened permissions; the detailed diagnosis below shows the image path so that this can be verified.

The detailed diagnosis of this measure provides the service name, the time at which it was identified, the image path with its arguments, and the start mode.
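The following PowerShell, added here as an example and not taken from eG Enterprise, reproduces the checks behind the Windows services with vulnerable permissions, Unquoted Windows services and Configured disabled services found to be running measures, and the weak-permission scenario described at the top of the page. It enumerates Win32_Service, parses each image path, reads the ACL of the binary and its directory, and for unquoted paths lists the candidate files CreateProcess would try first and whether their directory is writable by low-privilege users. Function names, the list of low-privilege principals and the rights mask are assumptions; the 'Print Spooler' entry in the usage line is a constructed example.

```powershell
# Added example, not eG Enterprise code: reproduces three of the test's checks with built-in
# cmdlets: services whose binary or its directory is writable by low-privilege users, services
# with an unquoted image path containing spaces (and which CreateProcess candidates are actually
# plantable), and services from a comma-separated "Service to be Disabled" display-name list that
# are running. Run elevated so every ACL is readable. Principal list, rights mask and function
# names are assumptions, not part of the product.

$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Write-capable rights: WriteData 0x2, AppendData 0x4, DeleteSubdirectoriesAndFiles 0x40, Delete 0x10000,
# ChangePermissions 0x40000, TakeOwnership 0x80000, plus GENERIC_ALL/GENERIC_WRITE seen on some inherited ACEs.
$WriteMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-LowPrivWriters {
    # Low-privilege identities with a write-capable Allow ACE on $Path; empty if unreadable.
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path)) { return @() }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $hits = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { $ace.IdentityReference.Value }
    }
    return @($hits | Where-Object { $_ } | Select-Object -Unique)
}

function Get-ParentDir([string]$Path) { try { Split-Path -LiteralPath $Path -Parent -ErrorAction Stop } catch { $null } }

function Get-ImagePathInfo {
    # Splits Win32_Service.PathName into the executable and a Quoted flag. For an unquoted
    # path, space-separated tokens are accumulated until the prefix names an .exe.
    param([string]$PathName)
    $raw = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    if ($raw.StartsWith('"')) {
        $end = $raw.IndexOf('"', 1)
        $exe = if ($end -gt 0) { $raw.Substring(1, $end - 1) } else { $raw.Trim('"') }
        return [pscustomobject]@{ Exe = $exe; Quoted = $true }
    }
    $tokens = $raw -split ' '
    $exe = $tokens[0]
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $prefix = $tokens[0..($i - 1)] -join ' '
        if ($prefix -match '\.exe$') { $exe = $prefix; break }
    }
    return [pscustomobject]@{ Exe = $exe; Quoted = $false }
}

function Get-UnquotedPathCandidates([string]$Exe) {
    # Files CreateProcess tries before the full unquoted path: each prefix ending at a space, plus .exe.
    $candidates = @(); $idx = $Exe.IndexOf(' ')
    while ($idx -gt 0) { $candidates += ($Exe.Substring(0, $idx) + '.exe'); $idx = $Exe.IndexOf(' ', $idx + 1) }
    return $candidates
}

function New-Finding($Svc, [string]$Exe, [string]$Finding, [string]$Detail) {
    [pscustomobject]@{ Service = $Svc.Name; DisplayName = $Svc.DisplayName; State = $Svc.State
                       StartMode = $Svc.StartMode; ImagePath = $Svc.PathName; Exe = $Exe
                       Finding = $Finding; Detail = $Detail }
}

function Get-ServiceCheckReport {
    param([string]$ServicesToBeDisabled = '')   # comma-separated display names, as in the test parameter
    $services = Get-CimInstance -ClassName Win32_Service
    $findings = [System.Collections.Generic.List[object]]::new()
    $wanted = @($ServicesToBeDisabled -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    foreach ($svc in $services) {
        # Configured-disabled services still running, matched on display name (case-insensitive).
        if ($svc.State -eq 'Running' -and $wanted -contains $svc.DisplayName) {
            $findings.Add((New-Finding $svc $svc.PathName 'DisabledServiceRunning' $svc.DisplayName))
        }
        if ([string]::IsNullOrWhiteSpace($svc.PathName)) { continue }
        $info = Get-ImagePathInfo $svc.PathName
        # Weak permissions: the binary itself, or the directory holding it, is writable.
        $writers = @(Get-LowPrivWriters $info.Exe) + @(Get-LowPrivWriters (Get-ParentDir $info.Exe))
        if ($writers.Count -gt 0) {
            $findings.Add((New-Finding $svc $info.Exe 'VulnerablePermissions' (($writers | Select-Object -Unique) -join ', ')))
        }
        # Unquoted path with spaces: always reported, but only candidates in a writable directory are exploitable.
        if (-not $info.Quoted -and $info.Exe.Contains(' ')) {
            $exploitable = foreach ($c in Get-UnquotedPathCandidates $info.Exe) {
                if ((Get-LowPrivWriters (Get-ParentDir $c)).Count -gt 0) { $c }
            }
            $findings.Add((New-Finding $svc $info.Exe 'UnquotedPath' (@($exploitable) -join ', ')))
        }
    }
    [pscustomobject]@{
        VulnerablePermissionsCount = @($findings | Where-Object Finding -eq 'VulnerablePermissions').Count
        UnquotedPathCount          = @($findings | Where-Object Finding -eq 'UnquotedPath').Count
        DisabledButRunningCount    = @($findings | Where-Object Finding -eq 'DisabledServiceRunning').Count
        Findings                   = $findings.ToArray()
    }
}

# Usage (run elevated); 'Print Spooler' is a constructed display-name example.
$report = Get-ServiceCheckReport -ServicesToBeDisabled 'Print Spooler'
$report | Select-Object VulnerablePermissionsCount, UnquotedPathCount, DisabledButRunningCount
$report.Findings | Format-Table Service, StartMode, Finding, Detail -AutoSize
```

The three count properties correspond to the measures above; the Detail column of an UnquotedPath finding is empty when none of the candidate directories is writable, which is the usual case on a host with default ACLs and is worth checking before raising the finding to an incident.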